Secure Computing to Develop Type Enforced Tux
Secure Computing Corporation, makers of security software packages for business and government organizations, has won a contract with the National Security Agency to develop a "robust, secure version of Linux" for use in the agency's intelligence and information systems.
But while many in the Linux community are celebrating another Linux conversion, others point to the GNU General Public License under which Linux may be further developed, and wonder if the fruits of the SCC's labor will be offered freely back to the community that made such fruits possible.
In a press release/FAQ, Secure Computing addressed GPL questions last, saying "it is our intention to be an active, responsible member of the open source community," and that the company will act "within the constraints this imposes." While the company has not said directly that its changes will be made freely available under the GPL, it is clear that Secure Computing Corporation is looking through the current contract with the NSA to see the value of having what they call a "Linux-based secure operating system on which to host our products".
The concerns over what Secure Computing will do with Linux have to do in part with the "Type Enforcement Technology" the company plans to deploy. Having successfully used this security technology in support of its UNIX firewall, Sidewinder, Secure Computing says its modifications will include a flexible policy engine that, while its functionality has not yet been fully determined, will nonetheless "support a broad range of basic applications". Secure Computing says it will open source both its policy enforcement code modifications to the kernel and this "general purpose" policy engine, while keeping the policy engines for its own products (i.e., Sidewinder, which is the main firewall used by the Department of Defense) proprietary. The term "policy engine" refers to the part of the software that monitors adherence to an organization's rules and procedures governing acceptable use of resources and security practices.
Secure Computing's Type Enforcement mechanism is located at the lowest level of the operating system kernel, according to the company's FAQ on the NSA deal. [According to Patty Garrison, public relations manager for Secure Computing: "as of right now, we are under contract with the NSA and cannot give out any more information than we did in our FAQ."] Operating from the ground up, so to speak, Type Enforcement is thus able to provide security for all applications and higher-level OS components. Additional flexibility is provided by way of a separation between the policy definition engine and the actual enforcement mechanism. This makes it easier for organizations to custom arrange their own policy engines, rather than accept a singular standard for security.
Secure Computing is a public company, and its interest in Linux resembles that of many other companies: in other words, the dollars. "We believe that the market has 'voted' and Linux is rapidly becoming a standard platform for the enterprise and for e-commerce and e-business", read the Secure Computing FAQ rather indubitably. The company says it is porting its applications to Linux, most recently SafeWord v5.1, a scalable authentication program traditionally running on the UNIX platform that is scheduled to be generally available at the end of the month.
With news of Secure Computing's intention to openly release a Type Enforcement Linux, the one lingering question for some in the Linux community revolves around the origins of the Type Enforcement technology. Of particular interest is the integration of flexible mandatory access controls into operating systems, which was the subject of research at the University of Utah (conducted in collaboration with the NSA) on the "Flask" system. According to researchers familiar with this project, NSA researchers conducted the actual kernel security changes, with Secure Computing using that NSA-modified kernel for the current Type Enforcement/Secure Linux project.
But the origins of Type Enforcement technology may go back as far as the 1970s; namely, to the "Provably Secure Operating System" (PSOS) project the National Security Agency conducted over twenty years ago. Much of the research that went into PSOS involved Formal Methods work done at SRI International, and the efforts going on with the Hierarchical Development Methodology (HDM) at the time. These efforts led to what one researcher called "the first abstract information flow formulations" of security.